Maspik – Ultimate Spam Protection Security & Risk Analysis

wordpress.org/plugins/contact-forms-anti-spam

No more fake leads or unwanted submissions — Maspik blocks spam instantly across all forms without using CAPTCHA.

30K active installs · v2.7.2 · PHP 7.0+ · WP 5.0+ · Updated Mar 11, 2026
Tags: anti-spam, antispam, blacklist, honeypot, spam
Score: 96 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Sep 9, 2025
Safety Verdict

Is Maspik – Ultimate Spam Protection Safe to Use in 2026?

Generally Safe

Score 96/100

Maspik – Ultimate Spam Protection has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Sep 9, 2025 · Updated 23d ago
Risk Assessment

The "contact-forms-anti-spam" plugin v2.7.2 presents a mixed security posture. While it demonstrates good practices such as a significant number of capability checks and a high percentage of prepared SQL statements, there are notable areas of concern. The presence of three AJAX handlers without authentication checks, coupled with seven taint flows involving unsanitized paths and four high-severity taint flows, suggests potential vulnerabilities that could be exploited. The plugin's history of eight known medium-severity CVEs, including common types like Missing Authorization and Cross-Site Scripting, indicates a pattern of past security weaknesses. Although there are currently no unpatched CVEs, this history, combined with the current code analysis findings, warrants caution. The plugin has strengths in its output escaping and nonce checks, but the identified unprotected entry points and taint issues necessitate careful monitoring and potential remediation.

Key Concerns

  • 3 AJAX handlers without auth checks
  • 7 taint flows with unsanitized paths
  • 4 high severity taint flows
  • 8 known CVEs (medium severity)
  • 1 dangerous function (unserialize)
Vulnerabilities
8

Maspik – Ultimate Spam Protection Security Vulnerabilities

CVEs by Year

2023: 3 CVEs
2024: 3 CVEs
2025: 2 CVEs

Severity Breakdown

Medium: 8 (8 total CVEs)

CVE-2025-9979 · medium · 4.3 · Missing Authorization

Maspik <= 2.5.6 - Authenticated (Subscriber+) Missing Authorization to Spam Log Export

Sep 9, 2025 Patched in 2.5.7 (49d)
CVE-2025-9888 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Maspik <= 2.5.6 - Cross-Site Request Forgery

Sep 9, 2025 Patched in 2.5.7 (1d)
CVE-2024-53806 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Maspik – Spam blacklist <= 2.2.7 - Cross-Site Request Forgery to Plugin Settings Change

Dec 2, 2024 Patched in 2.2.8 (10d)
CVE-2024-9182 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Maspik – Spam blacklist <= 2.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 2, 2024 Patched in 2.1.3 (241d)
CVE-2024-25101 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Maspik – Spam blacklist <= 0.10.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Feb 12, 2024 Patched in 0.10.7 (3d)
CVE-2023-48272 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Maspik – Spam blacklist <= 0.9.2 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log

Nov 21, 2023 Patched in 0.9.3 (63d)
CVE-2023-48271 · medium · 5.3 · Use of Less Trusted Source

Maspik – Spam blacklist <= 0.10.3 - Bypass

Nov 21, 2023 Patched in 0.10.4 (63d)
CVE-2023-24008 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Maspik – Spam blacklist <= 0.7.8 - Cross-Site Request Forgery

Feb 27, 2023 Patched in 0.7.9 (330d)
Code Analysis
Analyzed Mar 16, 2026

Maspik – Ultimate Spam Protection Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 27 (35 prepared)
Unescaped Output: 186 (534 escaped)
Nonce Checks: 28
Capability Checks: 33
File Operations: 3
External Requests: 14
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $unserialize_array = @unserialize($raw_data); · admin\partials\maspik-log.php:202

SQL Query Safety

56% prepared · 62 total queries

Output Escaping

74% escaped · 720 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

9 flows · 7 with unsanitized paths
weekly_api_to_maspik_request_callback (includes\statistics-data.php:22)
Attack Surface
3 unprotected

Maspik – Ultimate Spam Protection Attack Surface

Entry Points: 25
Unprotected: 3

AJAX Handlers 25

auth · wp_ajax_maspik_submit_feedback · admin\class-maspik-admin.php:444
auth · wp_ajax_maspik_block_ip · admin\maspik-statistics.php:21
auth · wp_ajax_maspik_block_multiple_ips · admin\maspik-statistics.php:22
auth · wp_ajax_maspik_block_country · admin\maspik-statistics.php:23
auth · wp_ajax_maspik_block_domain · admin\maspik-statistics.php:24
auth · wp_ajax_maspik_block_multiple_domains · admin\maspik-statistics.php:25
auth · wp_ajax_maspik_block_multiple_countries · admin\maspik-statistics.php:26
auth · wp_ajax_maspik_handle_playground_form · includes\forms\playground.php:9
nopriv · wp_ajax_maspik_handle_playground_form · includes\forms\playground.php:10
auth · wp_ajax_delete_filter · includes\functions.php:122
auth · wp_ajax_maspik_delete_row · includes\functions.php:175
auth · wp_ajax_maspik_not_spam · includes\functions.php:312
auth · wp_ajax_Maspik_allow_sharing_action · includes\functions.php:1455
auth · wp_ajax_Maspik_dismiss_notice_action · includes\functions.php:1474
auth · wp_ajax_maspik_dismiss_pointer · includes\functions.php:2007
auth · wp_ajax_maspik_reset_settings · includes\functions.php:2443
auth · wp_ajax_maspik_load_template · includes\functions.php:2546
auth · wp_ajax_maspik_generate_ai_secret · includes\functions.php:2628
auth · wp_ajax_maspik_clear_ai_logs · includes\functions.php:2653
auth · wp_ajax_maspik_dismiss_matrix_enabled_notice · includes\functions.php:2806
auth · wp_ajax_maspik_dismiss_matrix_disabled_notice · includes\functions.php:2863
auth · wp_ajax_maspik_whats_new_seen · includes\functions.php:2892
auth · wp_ajax_maspik_enable_matrix_from_notice · includes\functions.php:2914
auth · wp_ajax_maspik_hide_matrix_widget · includes\functions.php:2995
auth · wp_ajax_maspik_dismiss_blacklist_merge_notice · includes\functions.php:3058
WordPress Hooks 102
action · init · admin\class-maspik-admin.php:43
action · admin_menu · admin\class-maspik-admin.php:440
action · admin_notices · admin\class-maspik-admin.php:520
action · admin_notices · admin\class-maspik-admin.php:531
action · admin_notices · admin\class-maspik-admin.php:540
action · admin_notices · admin\class-maspik-admin.php:549
action · admin_menu · admin\maspik-statistics.php:18
action · init · contact-forms-anti-spam.php:65
filter · plugin_row_meta · contact-forms-anti-spam.php:68
action · upgrader_process_complete · contact-forms-anti-spam.php:208
action · admin_footer-plugins.php · contact-forms-anti-spam.php:224
action · maspik_refresh_proxy_ip_ranges · includes\class-maspik-client-ip.php:278
action · admin_enqueue_scripts · includes\class-maspik.php:226
action · wp_dashboard_setup · includes\dashboard-statistics.php:532
action · admin_init · includes\disable-comments.php:10
filter · comments_open · includes\disable-comments.php:33
filter · pings_open · includes\disable-comments.php:34
filter · comments_array · includes\disable-comments.php:37
action · admin_menu · includes\disable-comments.php:40
action · init · includes\disable-comments.php:45
filter · bitform_filter_form_validation · includes\forms\bitform.php:271
action · wp_footer · includes\forms\bitform.php:275
filter · breakdance_form_run_action_store_submission · includes\forms\breakdance.php:13
filter · breakdance_form_run_action_email · includes\forms\breakdance.php:14
filter · breakdance_form_run_action_webhook · includes\forms\breakdance.php:15
filter · breakdance_form_run_action_custom_javascript · includes\forms\breakdance.php:16
filter · breakdance_form_run_action_mailchimp · includes\forms\breakdance.php:17
filter · breakdance_form_run_action_popup · includes\forms\breakdance.php:18
filter · breakdance_form_run_action_slack · includes\forms\breakdance.php:19
filter · breakdance_form_run_action_drip · includes\forms\breakdance.php:20
filter · bricks/form/validate · includes\forms\bricks.php:8
action · bp_signup_validate · includes\forms\buddypress.php:69
action · bp_before_registration_submit_buttons · includes\forms\buddypress.php:93
filter · wpcf7_validate · includes\forms\cf7.php:45
filter · wpcf7_form_elements · includes\forms\cf7.php:241
filter · maspik_validate_custom_form_fields · includes\forms\custom.php:56
action · elementor_pro/forms/validation · includes\forms\elementor.php:47
filter · everest_forms_process_initial_errors · includes\forms\everest.php:3
action · everest_forms_frontend_output · includes\forms\everest.php:122
filter · fluentform/validation_errors · includes\forms\fluentforms.php:9
filter · fluentform/validate_input_item_input_text · includes\forms\fluentforms.php:68
filter · fluentform/validate_input_item_input_email · includes\forms\fluentforms.php:89
filter · fluentform/validate_input_item_phone · includes\forms\fluentforms.php:113
filter · fluentform/validate_input_item_textarea · includes\forms\fluentforms.php:138
filter · fluentform/rendering_form · includes\forms\fluentforms.php:143
filter · frm_validate_entry · includes\forms\formidable.php:8
filter · frm_validate_field_entry · includes\forms\formidable.php:53
filter · frm_validate_field_entry · includes\forms\formidable.php:73
filter · frm_validate_field_entry · includes\forms\formidable.php:97
filter · frm_validate_field_entry · includes\forms\formidable.php:119
filter · forminator_custom_form_submit_errors · includes\forms\forminator.php:8
action · forminator_render_form_submit_markup · includes\forms\forminator.php:118
filter · gform_field_validation · includes\forms\gravityforms.php:47
filter · gform_submit_button · includes\forms\gravityforms.php:220
action · hello_plus/forms/validation · includes\forms\helloplus.php:11
action · jet-form-builder/form-handler/before-send · includes\forms\jetform.php:5
filter · jet-form-builder/before-render-field · includes\forms\jetform.php:130
filter · mf_after_validation_check · includes\forms\metform.php:50
filter · ninja_forms_submit_data · includes\forms\ninjaforms.php:55
action · ninja_forms_before_container · includes\forms\ninjaforms.php:204
action · woocommerce_after_checkout_validation · includes\forms\woocommerce-orders.php:263
filter · preprocess_comment · includes\forms\wp-general.php:141
filter · comment_form_submit_button · includes\forms\wp-general.php:168
filter · registration_errors · includes\forms\wp-general.php:228
filter · woocommerce_registration_errors · includes\forms\wp-general.php:336
action · register_form · includes\forms\wp-general.php:387
action · woocommerce_register_form · includes\forms\wp-general.php:392
action · wpforms_process_before · includes\forms\wpforms.php:16
action · wpforms_process_validate_text · includes\forms\wpforms.php:92
action · wpforms_process_validate_name · includes\forms\wpforms.php:93
action · wpforms_process_validate_email · includes\forms\wpforms.php:119
action · wpforms_process_validate_phone · includes\forms\wpforms.php:136
action · wpforms_process_validate_textarea · includes\forms\wpforms.php:158
filter · wpforms_display_submit_before · includes\forms\wpforms.php:178
filter · admin_footer_text · includes\functions.php:1097
action · admin_footer · includes\functions.php:1100
action · admin_init · includes\functions.php:1121
action · cfas_daily_api_refresh · includes\functions.php:1151
action · after_setup_theme · includes\functions.php:1168
filter · admin_body_class · includes\functions.php:1295
action · admin_notices · includes\functions.php:1452
action · init · includes\functions.php:1481
action · admin_post_Maspik_export_settings · includes\functions.php:1491
action · admin_post_Maspik_import_settings · includes\functions.php:1557
action · admin_post_Maspik_spamlog_download_csv · includes\functions.php:1706
action · admin_footer · includes\functions.php:1954
action · admin_enqueue_scripts · includes\functions.php:1956
action · admin_footer · includes\functions.php:2256
action · admin_enqueue_scripts · includes\functions.php:2561
action · admin_init · includes\functions.php:2708
action · admin_init · includes\functions.php:2718
action · admin_notices · includes\functions.php:2791
action · admin_notices · includes\functions.php:2849
action · wp_dashboard_setup · includes\functions.php:2981
action · admin_notices · includes\functions.php:3037
action · wp_footer · includes\spam-block.php:1033
action · register_form · includes\spam-block.php:1034
action · init · includes\statistics-data.php:20
action · weekly_to_r_maspik_request · includes\statistics-data.php:109
action · init · includes\statistics-data.php:125
action · weekly_spam_logs_request · includes\statistics-data.php:189
action · admin_init · license\license.php:11

Scheduled Events 3

cfas_daily_api_refresh
weekly_to_r_maspik_request
weekly_spam_logs_request
Maintenance & Trust

Maspik – Ultimate Spam Protection Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.0
Downloads: 837K

Community Trust

Rating: 94/100
Number of ratings: 83
Active installs: 30K
Developer Profile

Maspik – Ultimate Spam Protection Developer Profile

yonifre

6 plugins · 41K total installs

Trust score: 76
Avg Security Score: 83/100
Avg Patch Time: 85 days
Detection Fingerprints

How We Detect Maspik – Ultimate Spam Protection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-forms-anti-spam/admin/css/maspik-admin-styles.css
/wp-content/plugins/contact-forms-anti-spam/admin/js/maspik-admin-scripts.js
/wp-content/plugins/contact-forms-anti-spam/frontend/css/maspik-frontend-styles.css
/wp-content/plugins/contact-forms-anti-spam/frontend/js/maspik-frontend-scripts.js
/wp-content/plugins/contact-forms-anti-spam/license/css/license.css
/wp-content/plugins/contact-forms-anti-spam/license/js/license.js
Script Paths
/wp-content/plugins/contact-forms-anti-spam/admin/js/maspik-admin-scripts.js
/wp-content/plugins/contact-forms-anti-spam/frontend/js/maspik-frontend-scripts.js
/wp-content/plugins/contact-forms-anti-spam/license/js/license.js
Version Parameters
contact-forms-anti-spam/admin/css/maspik-admin-styles.css?ver=
contact-forms-anti-spam/admin/js/maspik-admin-scripts.js?ver=
contact-forms-anti-spam/frontend/css/maspik-frontend-styles.css?ver=
contact-forms-anti-spam/frontend/js/maspik-frontend-scripts.js?ver=
contact-forms-anti-spam/license/css/license.css?ver=
contact-forms-anti-spam/license/js/license.js?ver=

HTML / DOM Fingerprints

CSS Classes
maspik-admin-menu-icon
maspik-admin-logo
maspik-admin-title
maspik-dashboard-widget-content
maspik-spam-log-table
HTML Comments
<!-- Maspik - Ultimate Spam Protection -->
<!-- Maspik License Options -->
Data Attributes
data-maspik-honeypot
JS Globals
MaspikAjax
maspik_vars
FAQ

Frequently Asked Questions about Maspik – Ultimate Spam Protection